Lame U/P Combos Make WordPress Irresistible to Hackers

Failure to heed the most basic security advice has made tens of thousands of WordPress servers vulnerable to a massive brute force attack that ultimately could result in the creation of a botnet of Incredible Hulk proportions. This particular attack wouldn't be possible without the passive assistance of WordPress bloggers and site admins who chose feeble entries like "admin" as their usernames and easily guessed sequences like "123456" as their passwords.

By Richard Adhikari
Apr 16, 2013 5:00 AM PT

An attack of unprecedented proportions has been hitting sites using
WordPress, a free and open source blogging tool and content management system that powers more than 60 million websites worldwide.

CloudFlare said it blocked 60 million requests against its WordPress customers in one hour, according to reports.

It appears the hackers are trying to take over WordPress servers to give them added muscle for future attacks. Poor choice of passwords and inadequate server security are making their task easier.

"This particular style of brute force attack is not that difficult to defend against," Marty Meyer, president of
Corero Network Security, told LinuxInsider. "The attackers are just trying to take advantage of people who implement WordPress-based blogs and sites who either do not understand basic security principles or who just choose to ignore them."

Easy Peasy

The attacker's botnet is hitting WordPress sites and
trying to log in with the "admin" username and various passwords, said WordPress cofounder Matt Mullenweg.

Variations of the username "admin" and the word "root" are among the usernames the botnet is reportedly targeting. Passwords the botnet is said to be trying most often are "admin," "123456" and "12345678."

The problem can be traced to users and is also partly due to WordPress offering its users a choice. WordPress 3.0, released about three years ago, let users pick a custom username on installation and most people used "admin" as their default username, Mullenweg stated.

WordPress users employing the password "admin" should change it and use a strong password, he suggested. Those on WP.com should turn on two-factor authentication and ensure they've got the latest version of WordPress installed.

Filtering out suspect IP addresses or trying to throttle logins won't work, because with more than 90,000 IP addresses under its belt, the botnet could launch an attack from a different IP address every second for 24 hours, Mullenweg pointed out.

The WordPress Foundation did not respond to our request for further details.

The Weakness of the Many

"Vulnerabilities in WordPress have often been exploited with mass compromises," Charles Renert, vice president of
Websense Labs, told LinuxInsider. "These attacks seem to come with an alarming frequency."

Joomla, an open source content management system, reportedly also has come under attack, and more such attacks can be expected in the future.

"As we predicted, the bad guys
will routinely test the integrity of content management systems and service platforms as they increase in popularity," Renert remarked. "Attacks will continue to exploit legitimate Web platforms such as Joomla, Drupal and phpWind, requiring CMS administrators to pay greater attention to updates, patches and other security measures."

Security researchers warned late last year that hackers
were attacking WordPress and Joomla sites, offering fake antivirus software to their users, TheNextWeb reported.

A Joomla spokesperson was not immediately available to provide further details.

Protecting Against Brute Force Attacks

Changing usernames and implementing two-factor authentication "should prevent the attack from affecting the security of the data, but some accounts may experience performance or availability issues when trying to process all the unwanted traffic coming in as part of a brute force attack," Meyer said.

One good approach to eliminating unwanted traffic would be to have good perimeter security, such as firewalls, in front of servers hosting accounts, he suggested.

Users whose WordPress accounts are hosted by a third party should do due diligence on how data hosters protect servers from unwanted traffic and distributed denial of service attacks, said Meyer.

"Make sure you understand the network security capabilities of third-party server hosters," he stressed, "and use two-factor authentication for administrative accounts on these servers."